Windows registry forensics

During forensic investigations, Windows registry values are a treasure trove. Although registry values can be read through the "regedit" UI or the "reg query" command, a script that queries the registry and performs the analysis in code is far more powerful. Python provides access to the Windows registry through the winreg library (called _winreg in Python 2). In this article I review code snippets from the book "Violent Python: A Cookbook for Hackers" for reading registry values from a Python script.

Data about previously connected wireless networks is stored under the "SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged" key of HKEY_LOCAL_MACHINE. You can browse the Windows registry either through the registry editor (Run -> regedit) or by typing "reg query [key]" at a command prompt.

The script that queries that key and prints the name and MAC address of each network you have joined is as follows:

```python
# Windows registry forensic: list previously joined networks (Python 3, winreg)

from winreg import HKEY_LOCAL_MACHINE, OpenKey, EnumKey, EnumValue, CloseKey


def val2addr(val):
    """Convert the REG_BINARY MAC value to aa:bb:cc:dd:ee:ff form."""
    addr = ''
    for ch in val:              # iterating bytes in Python 3 yields ints
        addr += '%02x ' % ch
    # strip/replace must run after the loop; inside the loop (as in the
    # original listing) the spaces were removed before they became colons
    addr = addr.strip(' ').replace(' ', ':')[0:17]
    return addr


def printNets():
    # raw strings so no backslash is mistaken for an escape sequence
    net = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion" \
          r"\NetworkList\Signatures\Unmanaged"
    key = OpenKey(HKEY_LOCAL_MACHINE, net)
    print('\n[*] Networks You have Joined.')
    for i in range(100):        # printing up to 100 networks
        try:
            guid = EnumKey(key, i)               # raises OSError when no subkeys are left
            netKey = OpenKey(key, str(guid))
            (n, addr, t) = EnumValue(netKey, 5)  # value at index 5: the MAC address (binary)
            (n, name, t) = EnumValue(netKey, 4)  # value at index 4: the network's name
            macAddr = val2addr(addr)
            netName = str(name)
            print('[+] ' + netName + ' ' + macAddr)
            CloseKey(netKey)
        except OSError:         # end of the subkey list (or a missing value)
            break
    CloseKey(key)


def main():
    printNets()


if __name__ == "__main__":
    main()
```

This is not the original Windows registry analysis script from the book: that script was written for Python 2.6 and did not work at all on 64-bit Windows. To run this script, first install Python 3 for 64-bit Windows and add the Python folder to your PATH environment variable (Advanced system settings -> Advanced tab -> Environment variables -> Edit PATH variable). Then open a command prompt with administrator privileges and type:

'python [Path-to-this-script]\[script-name].py'

Convert SID to username

EnumValue is not the only way of retrieving a key's value. For example, to convert a SID (security identifier) to a username (if you are curious where to find SIDs, have a look at the hidden per-user folders in C:\[RECYCLER]|[Recycled]|[ $Recycle.Bin], which are named after SIDs), you can query the "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\[SID]" key from HKEY_LOCAL_MACHINE using the QueryValueEx function:

```python
# Windows registry analysis script: map a SID to its account name

from winreg import HKEY_LOCAL_MACHINE, OpenKey, QueryValueEx, CloseKey


def sid2user(sid):
    key = OpenKey(HKEY_LOCAL_MACHINE,
                  r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
                  + '\\' + sid)
    # the value is like %SystemDrive%\Documents and Settings\sina
    (value, valtype) = QueryValueEx(key, 'ProfileImagePath')
    CloseKey(key)
    user = value.split('\\')[-1]  # to get 'sina' we read the text after the last \
    return user
```
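As an added example (not from the article or from the Violent Python book), the listing below reworks both lookups on this page, the NetworkList Signatures\Unmanaged walk and the ProfileList SID-to-username lookup, into a thin winreg reader plus pure parsing functions. The winreg parts run only on Windows; the parsing, the six-byte MAC check and the SID shape check run anywhere and are exercised on constructed sample data. The value names FirstNetwork, Description and DefaultGatewayMac are read by name instead of by enumeration index, and the subkey names and SAMPLE_ENTRIES data are constructed for the example, not taken from a real machine.

```python
"""Added example, not code from the article or from Violent Python: the same
two lookups (the Unmanaged network signatures and the ProfileList profiles)
written as a thin winreg reader plus pure parsing functions, so the parsing
can be checked on any OS with constructed data."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

UNMANAGED_KEY = (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                 r"\NetworkList\Signatures\Unmanaged")
PROFILELIST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
# S-1-<authority>-<subauthority>...; also matches well-known SIDs such as S-1-5-18
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def mac_from_binary(val) -> Optional[str]:
    """Format a six-byte REG_BINARY MAC as aa:bb:cc:dd:ee:ff.

    Anything that is not exactly six bytes (empty value, a REG_SZ string,
    truncated data) yields None so the caller reports it instead of garbage."""
    if not isinstance(val, (bytes, bytearray)) or len(val) != 6:
        return None
    return ":".join("%02x" % b for b in val)


def is_sid(name: str) -> bool:
    """True if a ProfileList subkey name is shaped like a SID."""
    return bool(SID_RE.match(name))


def user_from_profile_path(path: str) -> str:
    """Account name from ProfileImagePath, e.g. %SystemDrive%\\Users\\sina -> sina.
    Trailing separators are tolerated so an odd value does not yield ''."""
    return path.replace("/", "\\").rstrip("\\").split("\\")[-1]


def summarize_networks(entries: Iterable[Tuple[str, Dict[str, object]]]
                       ) -> List[Tuple[str, Optional[str], str]]:
    """entries: (subkey name, {value name: data}) for each Unmanaged subkey.

    Values are looked up by name (FirstNetwork, falling back to Description,
    and DefaultGatewayMac) rather than by enumeration index, so the result does
    not depend on the order in which Windows enumerates the values."""
    rows = []
    for subkey, values in entries:
        name = values.get("FirstNetwork") or values.get("Description")
        if not name:
            continue  # a signature without a network name is not useful here
        rows.append((str(name), mac_from_binary(values.get("DefaultGatewayMac")), subkey))
    return rows


def read_unmanaged_from_registry():
    """Windows only: yield (subkey, {name: data}) for every Unmanaged subkey."""
    import winreg  # imported here so the pure functions above run anywhere
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UNMANAGED_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):          # [0] = number of subkeys
            sub = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, sub) as netkey:
                values = {}
                for j in range(winreg.QueryInfoKey(netkey)[1]):  # [1] = number of values
                    name, data, _ = winreg.EnumValue(netkey, j)
                    values[name] = data
                yield sub, values


def sid_to_user_from_registry(sid: str) -> Optional[str]:
    """Windows only: ProfileList\\<sid> -> account name, None if no profile exists."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PROFILELIST_KEY + "\\" + sid) as key:
            value, _ = winreg.QueryValueEx(key, "ProfileImagePath")
    except OSError:
        return None
    return user_from_profile_path(value)


# Constructed sample resembling three Unmanaged subkeys (not real registry data).
SAMPLE_ENTRIES = [
    ("sig-1", {"FirstNetwork": "HomeWiFi", "Description": "HomeWiFi",
               "DefaultGatewayMac": b"\x00\x11\x22\x33\x44\x55", "Source": 8}),
    ("sig-2", {"Description": "CoffeeShop", "DefaultGatewayMac": b""}),
    ("sig-3", {"Source": 8}),
]

if __name__ == "__main__":
    for name, mac, sub in summarize_networks(SAMPLE_ENTRIES):
        print("[+] %s %s (%s)" % (name, mac or "<no gateway MAC>", sub))
```

On a Windows host, feed `read_unmanaged_from_registry()` into `summarize_networks` to get the same listing as the article's script; elsewhere the constructed `SAMPLE_ENTRIES` shows the two edge cases the index-based version hides, a subkey with an empty MAC value and one with no network name at all.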

Last modified on Monday, 24 August 2015 11:32